[ SB 20.29 ] ISC-Bind DOS (CVE-2020-8620) and versions in use

Talos recently released and advisory for ISCB-BIND TALOS-2020-1100 - Internet Systems Consortium's BIND TCP Receive Buffer Length Assertion Check Denial of Service Vulnerability CVE-2020-8620 where an unauth DOS is described.

An assertion failure exists within the Internet Systems Consortium’s BIND server versions 9.16.1 through 9.17.1 when processing TCP traffic via the libuv library. Due to a length specified within a callback for the library, flooding the server’s TCP port used for larger DNS requests (AXFR) can cause the libuv library to pass a length to the server which will violate an assertion check in the server’s verifications. This assertion check will terminate the service resulting in a denial of service condition. An attacker can flood the port with unauthenticated packets in order to trigger this vulnerability.

2 interesting things here:

  • version 9.16-9.17
  • Port 53/TCP

from all the ISC-Bind versions in use online, that answered on Port 53/tcp (2.3 mio total) we could identify 13.000 as version 9.16/9.17 (0.8%), while 14% (340.000 installations) dont show versions-info; see an according table and chart below.

bind versions

ISC BIND - versions in use, by total numbers, 2020-08-21
Version Count %
ISC BIND/9.5.x 2700 0.1
ISC BIND/9.6.x 3400 0.15
ISC BIND/9.7.x 20.000 0.9
ISC BIND/9.8.x 209.000 27
ISC BIND/9.9.x 70.096 9
ISC BIND/9.10.x 204000 9
ISC BIND/9.11.x 818000 36
ISC BIND/9.12.x 4800 0.2
ISC BIND/9.13.x 512 0.02
ISC BIND/9.14.x 31000 1.4
ISC BIND/9.15.x 91 0.004
ISC BIND/9.16.x 13000 0.6
ISC BIND/9.17.x 127 0.005
ISC BIND/unknown 338370 14

Fragen? Kontakt: info@zero.bs